Configuration parameter for certificate lifetime.
Boulder allows configuration of issued end entity certificate lifetime. Pebble presently hard-codes it: https://github.com/letsencrypt/pebble/blob/0abe0523af6f711c2f4c4a29a3a9a5f91aa9282e/ca/ca.go#L197
RFC 8555 section 7.4 specifies that a new order request may have optional `notBefore` and `notAfter` fields as one way to have configurable certificate lifetimes. I'm not keen on implementing this in Pebble because I feel like it was a specification mistake to give servers no ability to adjust the requested dates (e.g. to back-date). It's extremely unlikely we would implement processing of these order fields in Boulder, even if we allowed shorter certificate lifetimes.
Rather than implement the `notBefore`/`notAfter` fields of RFC 8555, I think Pebble should follow Boulder's lead and make the static certificate lifetime configurable in the Pebble config file loaded at startup. This is a simple solution that would meet the needs of developer requests like this.
this feature would have made this past week much easier on me ;)
if this happens, could it please share the same config name as boulder?
As this has been an open issue for more than 2 years: is there another approach to locally testing/developing the Let's Encrypt issuing and renewal mechanisms without waiting days for the expiry?
I know I can clone this repo and modify the hardcoded value, but I have the feeling maybe Pebble was built for a different use case and I am using it for the wrong purpose.
My use case is to locally develop and test (manually and automatically) a docker-compose based certbot system and cert-manager based k8s setups.
Thanks for any hints.
FWIW, inspecting the code I found the `certificateValidityPeriod` config variable! I don't know how long it's been there; I didn't see it in the information on the site (and that's why I got to this issue). But it works. You can define a value in seconds:

```json
"certificateValidityPeriod": 259200,
```

and your certificates will last only for 3 days!
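To make the seconds-to-lifetime mapping above concrete, and to show the check a practitioner would run against the resulting certificate, here is an added example in Go. It is not Pebble's code: the nested `"pebble"` object and the `listenAddress` key in the constructed config fragment are assumptions about the config file layout, the self-signed certificate stands in for Pebble's CA, and returning an error when the key is missing or non-positive is this example's choice (Pebble itself falls back to a built-in default).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// pebbleConfig mirrors only the part of the config file this example needs.
// The nested "pebble" object is an assumption about the file layout; the
// certificateValidityPeriod key (in seconds) is the one named in the thread.
type pebbleConfig struct {
	Pebble struct {
		CertificateValidityPeriod int64 `json:"certificateValidityPeriod"`
	} `json:"pebble"`
}

// sampleConfig is a constructed fragment using the 3-day value from the thread.
// The listenAddress key is illustrative and is ignored by this example.
const sampleConfig = `{
  "pebble": {
    "listenAddress": "0.0.0.0:14000",
    "certificateValidityPeriod": 259200
  }
}`

// lifetimeFromConfig returns the configured end-entity certificate lifetime.
// Unlike Pebble, it refuses a missing or non-positive value instead of
// falling back to a default, so a typo in the key name fails loudly.
func lifetimeFromConfig(raw []byte) (time.Duration, error) {
	var cfg pebbleConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return 0, fmt.Errorf("parse config: %w", err)
	}
	secs := cfg.Pebble.CertificateValidityPeriod
	if secs <= 0 {
		return 0, fmt.Errorf("certificateValidityPeriod must be a positive number of seconds, got %d", secs)
	}
	return time.Duration(secs) * time.Second, nil
}

// issueTestCert builds a self-signed leaf whose validity window starts at now
// and is exactly lifetime wide, then re-parses the DER so the caller sees the
// same notBefore/notAfter a client would. Times are truncated to whole seconds
// because X.509 time encodings carry no sub-second precision.
func issueTestCert(lifetime time.Duration, now time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	start := now.UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    start,
		NotAfter:     start.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// certLifetime is the check to run on an issued certificate: the width of the
// validity window, which is what a renewal schedule keys off.
func certLifetime(cert *x509.Certificate) time.Duration {
	return cert.NotAfter.Sub(cert.NotBefore)
}

func main() {
	lifetime, err := lifetimeFromConfig([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	cert, err := issueTestCert(lifetime, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("configured lifetime: %s\n", lifetime)
	fmt.Printf("notBefore=%s notAfter=%s (%.1f days)\n",
		cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339),
		certLifetime(cert).Hours()/24)
}
```

The same `certLifetime` check applied to a certificate fetched from a Pebble-issued endpoint is the quickest way to confirm the config value actually took effect before wiring it into a certbot or cert-manager renewal test.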
@huguei August 2021. See https://github.com/letsencrypt/pebble/pull/361 and https://github.com/letsencrypt/pebble/commit/7d978476390154012fc67980a766b954e8572823